APD/GBA (Belgium) - 72/2021: Difference between revisions

From GDPRhub
No edit summary
No edit summary
 
Line 54: Line 54:
}}
}}


The Belgian DPA issued a reprimand against a public authority that shared an audit report including personal data to third parties, without a proper legal basis, and that did not answer to the access request of a complainant in due time.  
The Belgian DPA issued a reprimand against a public authority that shared an audit report including personal data to third parties without a proper legal basis. In addition, the controller was found in violation of the GDPR for not answering the access request in due time.  


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
A public administration in charge of supervising the organisations hiring persons with disabilities established an audit report on the situation of the organisation after a complaint from the trade union and some members of the staff.  
A public administration in charge of supervising the organisations hiring persons with disabilities established an audit report on the situation of the organisation after a complaint from the trade union and some members of the staff. The report mentioned some personal data of the director of the organisation (ie, the salary) and was shared with third parties (trade union representatives, social mediator). The director (the complainant) sent an access request to the administration in charge regarding his personal data in the report. The administration did not answer to the request.  
The report mentioned some personal data of the director of the organisation (ie, the salary) and was shared with third parties (trade union representatives, social mediator).  
The director (the complainant) sent an access request to the administration in charge regarding his personal data in the report. The administration did not answer to the request.  
 
 
=== Dispute ===
Can the administration share the personal data of the report with third parties such as the representatives of the trade union and the social mediator when the procedure does not specifically provide for it?
 
 
=== Holding ===
=== Holding ===
The administration did not respect its obligation to inform under Article 12(3), 13(1)(c) and 15(1) GDPR. The sharing of the personal data of the director cannot rely on a proper legal basis such as Article 6(1)(e) since sharing the report with the personal data was not necessary for the performance of the tasks of the administration. In addition, the administration could not rely on Article 6(1)(d) GDPR (vital interests) for communication of the personal data of the director to third parties.  
The administration did not respect its obligation to inform under Article 12(3), 13(1)(c) and 15(1) GDPR. The sharing of the personal data of the director cannot rely on a proper legal basis such as Article 6(1)(e) since sharing the report with the personal data was not necessary for the performance of the tasks of the administration. In addition, the administration could not rely on Article 6(1)(d) GDPR (vital interests) for communication of the personal data of the director to third parties.  

Latest revision as of 11:53, 30 June 2021

APD/GBA (Belgium) - 72/2021
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 6(1)(e) GDPR
Article 12(3) GDPR
Article 13(1)(c) GDPR
Article 15(1) GDPR
Type: Complaint
Outcome: Partly Upheld
Started:
Decided: 14.06.2021
Published: 14.06.2021
Fine: None
Parties: n/a
National Case Number/Name: 72/2021
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: Belgian DPA (in FR)
Initial Contributor: n/a

The Belgian DPA issued a reprimand against a public authority that shared an audit report including personal data to third parties without a proper legal basis. In addition, the controller was found in violation of the GDPR for not answering the access request in due time.

English Summary

Facts

A public administration in charge of supervising the organisations hiring persons with disabilities established an audit report on the situation of the organisation after a complaint from the trade union and some members of the staff. The report mentioned some personal data of the director of the organisation (ie, the salary) and was shared with third parties (trade union representatives, social mediator). The director (the complainant) sent an access request to the administration in charge regarding his personal data in the report. The administration did not answer to the request.

Holding

The administration did not respect its obligation to inform under Article 12(3), 13(1)(c) and 15(1) GDPR. The sharing of the personal data of the director cannot rely on a proper legal basis such as Article 6(1)(e) since sharing the report with the personal data was not necessary for the performance of the tasks of the administration. In addition, the administration could not rely on Article 6(1)(d) GDPR (vital interests) for communication of the personal data of the director to third parties.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

                                                                                          1/21










                                                                 Contentious room



                                      Decision on the merits 72/2021 of June 14, 2021







File No .: DOS-2019-02726



Subject: Complaint against a public authority for transmitting a report to third parties

and lack of response within the legal deadline



The Contentious Chamber of the Data Protection Authority (hereinafter APD), made up of

Mr. Hielke Hijmans, chairman, and Messrs C. Boeraeve and R. Robert, members.



Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the

protection of individuals with regard to the processing of personal data

and the free movement of these data, and repealing Directive 95/46 / EC (General Regulation

on Data Protection), hereinafter GDPR;


Having regard to the Law of 3 December 2017 establishing the Data Protection Authority (hereinafter

LCA);



Given the internal regulations of the Data Protection Authority as approved by the

Chamber of Representatives on December 20, 2018 and published in the Belgian Official Gazette on January 15, 2019;



Having regard to the documents in the file;



Has taken the following decision regarding:

The complainant: Mr X, (hereinafter the complainant), represented by Mr Jean-Yves Gyselinx

Defendant: Agence Y, Beslissing on the merits 72/2021 - 2/21




I. Facts and retroacts of the procedure




        1. On May 15, 2019, the complainant lodged with the Data Protection Authority

            (hereinafter the DPA) a request / complaint form in which he criticizes the

            communication by the controller of a report dated April 3, 2019 to

            trade union representatives, due to the fact that it contains personal data

            personnel about him and in particular his salary. He complains in particular that the

            union representatives would have transferred the information to many other

            fellow trade unionists, who allegedly used the information against him in meetings.



        2. The report, dated April 3, 2019 and entitled "Complaint conclusion report" (hereinafter


            afterwards, "the audit report" or "the report") comes from the Audit & Control Department,

            […] Of the defendant. The report concerns ASBL Z (hereafter ASBL), a

            establishment that has a care authorization issued by Y for

            95 people with disabilities, day and night reception. The

            beneficiaries have an intellectual disability or mental health problems,

            some with significant multiple disabilities. Part of the population present

            complex needs.



        3. The audit report follows on from three groups of complaints that were filed between the

            December 22, 2018 and February 21, 2019, against the non-profit organization on the part, respectively,

            about twenty workers from the non-profit organization, a collective of educators and unions

            […] And […].



        4. The audit examines grievances such as the financial structure of the institution, the

            lack of supervision, incompetence of management as well as

            problems in the quality of care for residents. Out of nine grievances

            mentioned, the report considers that five are founded or generally founded, the four

            others subject to various assessments. The complainant is informed as


            being the director of the non-profit organization.



        5. This audit report was emailed on April 3, 2019 to the complainant and two

            union representatives (identified as being respectively the managers

            and the complainants). The report is also addressed to the social conciliator "in view

            to support the lines of thought that will be discussed during the meeting of this
                                                                1
            afternoon in order to try to resolve this dispute ”.


1
 Email of April 3, 2019. Beslissing on the merits 72/2021 - 3/21





6. On the same day, the complainant replied to the email indicating that he had observed different

    errors in the report and wanting to write a right of reply. On May 8, 2019, he sent

    by e-mail a series of grievances and questions to the defendant concerning

    elements of the report. He also complains about the fact that the report contains his


    salaries that have been sent to union representations. He asks for

    explanations of what he considers to be the breach of data confidentiality

    personal. On May 14, 2019, he sent by email a document entitled "Right to

    reply ".



7. On May 15, 2019, the complainant submitted his request form to the Authority.



8. Initially, the Authority, through the frontline service intervenes

    with the complainant in a mediation phase during which she invites him to exercise

    his right of access to the defendant (letter of May 27, 2019).



9. On June 14, 2019, the complainant replied to the PDA that he never received a response to his

    communications of May 8 and 14, 2019. By letter dated July 22, 2019, the APD

    advises the complainant that the email sent by the complainant on May 8, 2019 does not constitute

    not really a request for access. She invites him to exercise this right with the

    defendant by asking for the legal basis on which the transfer of

    data.



10. The complainant made this request to the defendant on July 23, 2019. The

    August 26, he informed the APD of the lack of response from the defendant. The 10

    September 2019, the APD sends a letter to the defendant asking them to

    respond to the requester and send a copy of this response to the DPA. The

    defendant confirms receipt of the request on September 18, 2019 and indicates

    that a response will follow as soon as possible.



11. The Respondent's response is dated September 26, 2019. In it, the

    defendant apologizes for its late response. It then indicates that

    the purpose of the data processing was to investigate a complaint lodged against

    of the complainant, in accordance with Article 1369.84 of the Walloon Regulatory Code of

    Social and Health Action of July 4, 2013 (hereafter: the regulatory code). It

    refers the complainant to the Privacy Policy which states that the data

    are transmitted to third parties when required to participate in the investigation of the case. The

    defendant also provides elements of contextualization of the Beslissing situation on the merits 72/2021 - 4/21



    by evoking an abnormally long social conflict that poses risks to the

    be beneficiaries of the establishment.



12. By email of September 27, 2019, the complainant replied to the letter from the

    defendant. He challenges the legality of the transmission of his data to unions,


    given that they are also the authors of the complaint to Y and that the

    transfer was not based on his consent. It indicates that this transfer allowed

    unions to use their data for a purpose other than that for which they

    had been collected. It also raises the overrun of the legal deadline for

    respond to their access request. He asks the APD to register his complaint and declare it

    admissible.



13. On October 18, 2019, the Frontline Service of the APD, seeing the last

    communication from the complainant, notes that the mediation initiated was not successful and

    seeks the consent of the complainant for the file to be forwarded as a complaint to the

    Contentious chamber. On November 5, 2019, after obtaining the agreement of

    complainant, the Frontline Service declares the complaint admissible on the basis of the

    Articles 58 and 60 of the LCA and transmits it to the Litigation Chamber in accordance with

    Article 62, § 1 of the LCA.



14. On December 3, 2019, the Litigation Chamber decides that the case can be processed

    on the merits and inform the parties thereof. It establishes that the grievor's grievances against

    of Y concern, on the one hand, compliance with the data protection rules of the

    communication of the report containing personal data on

    concerning (his salary) to union representatives, including with regard to

    the information that Y communicates to the data subjects about the processing

    of their personal data (articles 5 and 6 of the GDPR and articles 12 to 14 of the

    GDPR), and on the other hand, the compliance of the response given to the complainant by Y, following

    the exercise by the latter of his right of access (Articles 12 and 15 of the GDPR).



15. On the same day, the Contentious Chamber informs the parties of its decision to deal with

    the case on the merits and establish a timetable for the exchange of conclusions.



16. On 12 December 2019, the defendant confirms receipt of the letter from the Chamber

    contentious and asks to receive a copy of the documents in the file which it does not

    not yet have. The secretariat of the contentious chamber sends the documents

    requested the same day. Beslissing on the merits 72/2021 - 5/21




        17. On 24 December 2019, the defendant sends these conclusions to the Chamber

            contentious. She first explains that normally, analysis reports,

            such as the audit report of April 3, 2019, have never been communicated to the complainants.

            They only receive a letter informing them of the outcome of the investigation. The

            defendant adds that the case of the non-profit organization is quite special since it

            was the subject of a major social conflict, including a strike that allegedly

            lasted seven weeks. According to the defendant, the role of social consultation was

            therefore become essential to hope to find a solution to the conflict. The report of the

            defendant was eagerly awaited since it made it possible to objectify the complaints made


            by the complainants, which included the trade unions. These grievances

            concerned, among other things, the mode of governance and financial practices. This is

            in this context that the report was transmitted to the conciliator and to the organizations

            unions so that he could serve in the conciliation meeting that took place after

            noon even. The defendant considers that it was not possible for her not to treat

            the subject of the complainant's remuneration in such a context.



        18. As to the exercise of the right of access, the defendant acknowledges the late nature of the

            response, stressing, however, that a response providing the elements

            necessary was eventually transmitted.




        19. Regarding the disclosure of the amount of the complainant's remuneration, the

            defendant recognizes a clumsiness and a lack of precaution but precise

            many elements. It recalls the exceptional nature of the situation and the

            need to find solutions, which prompted him to carry out a balance of

            interests, particularly in view of its essential role in this sector. She explains

            also not to consider itself responsible for actions carried out a posteriori by the

            unions. She also added that her email from April 3, 2019 contained a

            disclaimer.



        20. On January 3, 2020, the complainant informs the Litigation Chamber and the respondent


            to have given a mandate to Me. Gyselinx to represent him. On January 28, 2020, the latter
                                                                                                 2
            sends its conclusions to the contentious chamber and to the defendant. There is

            explains that the report contained not only the salary of the concluding party but

            also the invoicing of [the company…] (a service provider). He points out that the

            defendant admitted his own awkwardness. He also argues that this




2The Contentious Chamber notes that the plaintiff's lawyer refers to the Contentious Chamber as a "court".
The Litigation Chamber reminds the parties that it is an organ of an administrative authority and not an institution
of the judiciary. Beslissing on the merits 72/2021 - 6/21




            disclosure of the salary caused enormous damage in terms of images and forced the

            complainant to withdraw and then leave the management of the non-profit organization. On the principles, he

            stresses that the defendant does not rely on any basis of lawfulness provided for by the

            GDPR (called grounds for justification by the complainant) and explains why it

            considers that neither Article 6.1.d) nor Article 6.1.e) is applicable in the present case.



        21. On February 10, 2020, the defendant sends its pleadings in reply to the

            Contentious chamber. Beyond the points already mentioned in its premieres

            conclusions, the defendant considers that the complainant minimizes the situation in

            which the non-profit organization was at the time of the events and underlines the importance of

            look into executive compensation as well as other budgetary aspects. It

            adds that the complainant does not demonstrate anything of the damage that would have been caused to him and that

            dissemination of the report was supervised and limited to stakeholders only

            identified.



        22. With regard to the basis of legality, the defendant states that it is based on Article 6.1.d)

            since the disastrous living conditions of the beneficiaries of the establishment are

            in connection with the notion of vital interest provided for in this article. The defendant indicates

            also be based on Article 6.1.e) as the seriousness of the grievances impacted

            considerably the quality of life and reception of residents as well as their safety.



        23. On July 1, the plaintiff's lawyer wrote to the Litigation Chamber to inquire about

            the status of the case. The defendant asks a similar question on November 25, 2020.

            On December 10, 2020, the Litigation Chamber responds to both parties that the

            file is still being processed and the decision will be communicated

            when it has been adopted. The contentious chamber regrets the delay it has made

            to address a response to the parties.






PLACE



II. On the grounds for the decision




    1) As to the Beslissing complaints on the merits 72/2021 - 7/21



    24. In accordance with the grievances set out by the complainant, as well as the exchanges of

        conclusions between the parties, the Contentious Chamber considers that several

        issues need to be analyzed.



    25. The first question concerns the legality of the data processing


        personal data of the complainant (Articles 5 and 6 of the GDPR). The second concerns the

        further processing of the data which would have been carried out by certain recipients of the

        audit report. The last question concerns the exercise of the right of access by the

        complainant and the response provided by the defendant (Articles 12 and 15 of the GDPR).



    26. Beyond these questions, in its minutes of December 3, 2019, the Chamber

        contentious had considered that the case also concerned the information that the

        defendant communicates to the persons concerned about the processing of

        their personal data (Articles 12 to 14 of the GDPR). These grievances having been

        addressed neither by the complainant nor by the defendant during the concluding discussions, the

        Litigation Chamber has few elements enabling it to examine

        that question. It will therefore not be considered by the Chamber.

        contentious.





2) Regarding the data processing in dispute



    27. It appears from the documents in the file that the complainant objects to the fact that the audit report

        contains some of his personal data. According to the access request of the

        complainant, this personal data relates to:

        - data concerning his salary;


        - information concerning the company […] (the fact that the complainant is

            also the manager of this service provider of the institution as well as the

            fees and overall billing amount);

        - "hasty conclusions" on management.



    28. In his conclusions the complainant only refers to the first two

        elements. The Contentious Chamber therefore considers that the dispute relates to these two

        different data in the report.



    29. In its pleadings in reply, the defendant objects to the

        the question of data concerning the company […] be addressed, for two reasons.

        First of all, she considers that this is a legal person whose data is not Beslissing on the merits 72/2021 - 8/21



            therefore not covered by the definition of personal data in Article 4.1

            of the GDPR. Then she feels that this item was never brought to her attention.

            before the complainant's conclusions.




        30. The data concerning the company [...] appear in the audit report under the

            “financial package” grievance. It is stated in particular that "The designation of

            Mr. X coincided with the arrival of a new subcontractor of which he is none other than

            the manager. ". This sentence is followed by several others which describe the tasks of

            this company within the non-profit organization as well as elements relating to invoicing. In this

            that the quoted sentence refers directly to the complainant, who is a natural person

            identified, and the fact that he is the manager of this company, the Litigation Chamber

            considers that this is indeed personal data within the meaning of Article 4.1 of

            GDPR. On the other hand, the amounts of fees and global annual invoicing

            cannot be understood as personal data since it does not

            do not refer to an identified or identifiable natural person. Bedroom

            litigation also points out that this information was already in the request

            access notice of 23 July 2019. The respondent cannot therefore argue that it

            was unaware that this was data that was the subject of the dispute.



        31. The Litigation Division also considers that the disputed treatments relate to

            on the one hand on the collection and integration of the aforementioned personal data

            in the audit report and on the other hand on the transmission of this audit report to

            union representatives. Even if this is not part of the grievances put forward by the complainant,

            the Contentious Chamber notes that the second processing (transmission of the report)

            concerns not only the union representatives but also the conciliator

            social. The contentious division's analysis will therefore focus on these two treatments.





    3) As to the lawfulness of the processing (article 6 of the GDPR)




                                              Article 6



                                       Lawfulness of processing



1. Processing is only lawful if, and insofar as, at least one of the following conditions

is met: Beslissing on the merits 72/2021 - 9/21



a) the data subject has consented to the processing of their personal data for

one or more specific purposes;

b) the processing is necessary for the performance of a contract to which the data subject is a party

or the execution of pre-contractual measures taken at the request of the latter;




c) the processing is necessary for compliance with a legal obligation to which the data controller

treatment is submitted;

d) the processing is necessary to protect the vital interests of the data subject or

another natural person;

e) the processing is necessary for the performance of a task of public interest or falling within

the exercise of public authority vested in the controller;

f) the processing is necessary for the purposes of the legitimate interests pursued by the controller

processing or by a third party, unless the interests or freedoms and rights

fundamental aspects of the data subject which require protection of personal data

personal, especially when the data subject is a child.



Point f) of the first subparagraph does not apply to processing carried out by public authorities

in the performance of their missions.



2. Member States may maintain or introduce more specific provisions for

adapt the application of the rules of this Regulation with regard to processing for the purpose of

comply with paragraph 1, points c) and e), determining more precisely the requirements

specific conditions applicable to the processing as well as other measures to ensure processing

lawful and fair, including in other special processing situations as provided for in

chapter IX.



3. The basis for the processing referred to in paragraph 1 (c) and (e) shall be defined by:



(a) Union law; or

b) the law of the Member State to which the controller is subject.



The purposes of the processing are defined in this legal basis or, with regard to the

processing referred to in point (e) of paragraph 1 are necessary for the performance of a task of interest

public or subject to the exercise of public authority vested in the person responsible for

treatment. This legal basis may contain specific provisions to adapt

the application of the rules of this regulation, inter alia: the general conditions governing the

lawfulness of processing by the controller; the types of data that are the subject of

treatment; the people concerned; the entities to which the personal data Beslissing as to the substance 72/2021 - 10/21




can be communicated and the purposes for which they can be; limitation of

purposes; retention periods; and processing operations and procedures, including

measures to ensure lawful and fair processing, such as those provided for in other

special processing situations as provided for in Chapter IX. Union law or

Member State law meets an objective of public interest and is proportionate to the objective

legitimate pursued.




[…] "



         32. During the exercise of the right of access by the complainant, he requested from the

             defendant, the legal basis for the processing of such data. In his response to the law

             access dated September 26, 2019, the defendant explained that the purpose of

             processing "aimed at investigating a complaint lodged against you, in accordance with

             Article 1369/84 of the Walloon Regulatory Code for Social Action and Health of 4

             July 2013. "




         33. In the exchange of conclusions, it appeared that the defendant is claiming the

             Articles 6.1.d) and 6.1.e) of the GDPR as the bases of lawfulness of the processing (called

             grounds for justification by both the complainant and the defendant). The complainant has

             meanwhile, he had the opportunity to challenge the applicability of his bases of legality.



         34. It follows from recital 46 that 'the processing of personal data

             based on the vital interest of another natural person should in principle take place

             only when the processing clearly cannot be based on any other basis

                         3
             legal."

         35. The Contentious Chamber will therefore examine the legal basis of Article 6.1.e) in a

             first place. It will only consider that of Article 6.1.d) if Article 6.1.e) is found to be

             inapplicable in this case.



         36. The defendant argues that the complaints raised against the non-profit organization and their impact on

             the quality of life and the reception of the residents justified his intervention. The complainant

             considers that the processing of the complainant's personal data was in no way


             useful for the execution of the mission.



3
 "The processing of personal data should also be considered lawful when it is necessary for
protect an essential interest in the life of the data subject or that of another natural person. Treatment of
personal data based on the vital interest of another natural person should in principle only take place
when the processing clearly cannot be based on another legal basis. Certain types of treatment may
be justified both by important reasons of public interest and by the vital interests of the data subject, for example
when the treatment is necessary for humanitarian purposes, including to monitor epidemics and their spread, or in
humanitarian emergencies, including natural and man-made disasters. »Beslissing on the merits 72/2021 - 11/21






        37. The defendant is a regional public authority responsible for [matters

            in the social and health sector]. As such, it notably issued a

            payment authorization for the benefit of the non-profit organization. In the context of the litigation at

            examination, the defendant investigated a complaint lodged against the

            defendant, which led to the conclusion of the audit report. It is therefore established that

            the defendant exercises public authority, in the sense that it is the institution

            government in charge of large areas of social action at regional level and that by

            For example, as such, it issues authorizations and investigates complaints. The part


            defend this argument to justify that the treatment can be based on the article

            6.1.e) of the GDPR.


                                                                     4
        38. As already explained in its decision 55/2021, the Contentious Chamber must

            however check that the conditions provided for in Article 6.1.e) are met by

            the species. Under Article 6.3.b) and recital 45 of the GDPR, processing

            based on Article 6.1.e) must meet two conditions:

                       o The data controller must be responsible for carrying out a

                           mission of public interest or relating to the exercise of public authority

                           under a legal basis, whether under European Union law


                           or under the law of the Member State;

                       o The processing must be necessary for the performance of the assignment of interest

                           public or the exercise of public authority.









A legal basis



        39. It appears from the documents in the file that the defendant's audit report was drawn up

            based on article 1369/84 of the Regulatory Code. This article is written as


            follows:



            "Article 1369/84. Any complaint relating to taking charge in a service can be

            formulated in writing to the Agency. The Agency shall inform the

            organizing authority, taking into account the needs of the examination of this request.

            The Agency carries out this examination upon receipt of the complaint and formulates its



4 Decision on the merits 55/2021 of 22 April 2021 (https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-
fond-n-55-2021.pdf) Beslissing as to the merits 72/2021 - 12/21




             conclusions within a maximum period of six months. The Agency informs the complainant, the


             management, the manager of the service and the authorities responsible for the placement and / or

             funding, follow-up to this complaint. "



         40. The Contentious Chamber therefore considers that this article establishes a legal basis which

             framework of the exercise of the public authority of the defendant for the treatments


             contentious, being extended that the general framework for the exercise of public authority

             Complainant is much larger. For the contentious Chamber, it therefore appears

             the exercise of public authority has a legal basis in national law. The

             Contentious roomvadoncexaminersicettebaselegalerfillsprescribed well


             of the GDPR.



Processing necessary for the exercise of public authority




         41. In order for the processing to be lawful on the basis of Article 6.1.e), the purposes of the processing

             must therefore be necessary for the exercise of public authority. As she already has

             developed in its decision on the merits 38/2021, the necessity test is

             essential.




         42. In its Huber judgment, the Court of Justice of the European Union (CJEU) has, in view of

             of this necessary condition, specified: that "with regard to the objective of ensuring

             an equivalent level of protection in all Member States, the concept of

             necessity as it results from Article 7 (e) of Directive 95/46, which aims to


             precisely delimit one of the hypotheses in which the processing of

             personal data is lawful, cannot have a variable content depending on the

             function of the Member States. Therefore, it is an autonomous concept of the law

             community which must be interpreted in such a way as to fully respond

             subject to this Directive as defined in Article 1 (1) thereof ". 7



                                               8
         43. According to his conclusions in this case, the Advocate General

             makes it clear in this regard that "the concept of necessity has a long history in

             community and it is well established as an integral part of the




5 Decision on the merits 38/2021 of 23 March 2021 (https://www.autoriteprotectiondonnees.be/publications/decision-quant-
deep-n-38-2021.pdf)

6 Member States provide that the processing of personal data may only be carried out if: (...) e) it is
necessary for the performance of a mission of public interest or falling within the exercise of public authority vested in the
controller or the third party to whom the data are communicated.

7CJUE, December 16, 2008,, Heinz Huber v. Bundesrepublik Deutschland, C-524/06, para. 52.
8
 Opinion of Advocate General Poiares Maduro presented on April 3, 2008 in the context of the proceedings before the CJU having
resulted in the judgment cited in footnote 15 above (C-524/06). Beslissing on the merits 72/2021 - 13/21




             proportionality. It means that the authority which adopts a measure which undermines

             a fundamental right in order to achieve a justified objective must demonstrate that this


             is the least restrictive measure to achieve this objective. Moreover, if the

             processing of personal data may be liable to infringe the law

             fundamental to respect for private life, Article 8 of the European Convention on

             safeguard of human rights and fundamental freedoms (ECHR) which guarantees

             respect for private and family life is also becoming relevant. As the court has

             stated in the Österreichischer Rundfunk and others judgment, if a national measure is


             incompatible with Article 8 of the ECHR, this measure cannot satisfy

             the requirement of Article 7 (e) of the directive. Article 8, paragraph 2, of the ECHR

             provides that an interference with privacy may be justified if it targets one of the

             objectives listed therein and "in a democratic society, is necessary" to

             one of those goals. The European Court of Human Rights has ruled that the concept


             of "necessity" implies that a "pressing social need" is involved ".



         44. The Article 29 Group also referred to the case law of the Court

             European Human Rights Court (Eur. D.H. Court) to identify the requirement of

             necessity and concludes that the adjective "necessary" thus does not have the flexibility of terms

             such as "admissible", "normal", "useful", "reasonable" or "expedient". 10




         45. In its Michael Schwarz v. Stadt Bochum, the Court of Justice of the Union

             European Union, considers that it concerns "the examination of the necessary

             such processing, the legislator is in particular required to verify whether measures less

             infringements of the rights recognized by Articles 7 and 8 of the Charter are conceivable

             while contributing effectively to the goals of Union regulation by

                     11
             cause "



         46. Following this precedent, it is therefore up to the Contentious Chamber to determine

             if the processing was necessary for the exercise of public authority. So she has it

             established beforehand (see point 31), for the Contentious Chamber


             concerns two processing operations: the processing of the complainant's personal data

             completion of the drafting of the audit report, as well as sending the audit report to

             different parties, including union representatives and the social conciliator.






9
 "Article 29" working group on data protection, "Opinion 06/2014 on the concept of legitimate interest pursued by
the data controller within the meaning of Article 7 of Directive 95/46 / EC ", adopted on April 9, 2014.
10Court eur. D.H., March 25, 1983, Silver et al. United Kingdom, para. 97.

11CJUE, 17 October 2013,, Michael Schwarz v. Stadt Bochum, C-291/12, para. 46. Beslissing on the merits 72/2021 - 14/21



47. With regard to the processing of the complainant's personal data for the

    drafting of the report, the Litigation Chamber notes that it concerns

    only the complainant's salary as director of the non-profit organization and his position as

    manager of a subcontractor (see points 27 and 28). These data were discussed in the

    report during the analysis of the grievance mentioned "financial package" which is found under the


    title A "Management".



48. For the Contentious Chamber, there is no doubt that the processing of data

    the director's salary as well as his position as manager of a subcontractor are

    information that it is necessary to examine during an audit relating, among other things, to the

    management and financial arrangement of an institution. Therefore, the treatment of these

    data is necessary for the exercise of public authority of the defendant who

    consists of dealing with complaints received against the non-profit organization.



49. The second treatment subject to the examination of the contentious division consists of

    sending the audit report to various parties, including union representatives from

    the non-profit organization, who were among the people who lodged a complaint with the

    defendant, as well as the social conciliator. This is the treatment that is

    mainly contested by the complainant in the present case. The complainant

    considers that this processing was in no way necessary for the mission of the

    defendant.



50. The defendant considers that this dispatch was entirely justified in view of

    the specific circumstances of the non-profit organization and the ongoing labor dispute. The transfer of

    report to union representatives and to the conciliator was intended to promote

    consultation and find a solution to the dispute (see point 17).



51. For this processing also, the Litigation Chamber must examine whether it was

    necessary for the exercise of the public authority of the defendant. The criterion of

    "Necessity" as already specified (see point 41 et seq.) Restricts the margin

    assessment of the controller, since he does not authorize him to carry out

    treatments that would only be useful or desirable.



52. It appears from the conclusions of the defendant that the purpose of this processing was to

    allow the use of the report during the social conciliation meeting so that

    the latter can objectify the situation. The aim was therefore to promote the resolution of the

    ongoing social conflict. Beslissing on the merits 72/2021 - 15/21



53. The Respondent justifies the treatment in question by the exceptional situation in

    which was the non-profit organization, due to an unusually long social conflict. The

    Litigation Chamber notes that the extent of the social conflict is underlined in the

    conclusions of the audit report. It also appears from the conclusions of the

    defendant, that "the analysis and conclusions that the agency would bring to the complaint


    filed by union organizations in a common front, became essential

    since they would give a neutral look at the alleged facts "and that" the

    conclusions of the agency were eagerly awaited in order to conduct a final

    attempt at conciliation ”. The purpose of this precise processing was therefore to facilitate the

    social conciliation in progress.



54. It is also clear from the defendant's explanations that this treatment does not

    did not correspond to an ordinary exercise of his public authority, since this

    stresses that "the case of the complainant's institution is quite specific and

    fortunately exceptional ”.



55. The Litigation Chamber recalls that the legal basis for the exercise of authority

    of the defendant limits it to the reception and processing of complaints.

    It does not appear from this legal basis that support for social conciliation or

    social conflict resolution is part of the exercise of public authority

    defendant. It follows that the processing at issue, consisting in transferring the

    audit report to union representatives and the social conciliator, cannot be

    considered necessary for the exercise of the public authority of the defendant.



56. Even if the respondent justifies the treatment by its willingness to support the process

    of social conciliation in progress, the Litigation Chamber notes all the same that the

    legal basis provides that the defendant "informs the complainant, the management, the

    manager of the service and the authorities responsible for the placement and / or

    financing, of the follow-up reserved for this complaint ”, which could have been used by the

    defendant to justify sending the audit report to union representatives

    in particular, since they were also complainants. However, it is necessary to

    note that according to the defendant's own conclusions, "the reports

    of analysis are never communicated to the complainants ". So it seems that this

    provision only obliges the defendant to inform certain categories of

    persons "of the follow-up to the complaint" and in no way bind the defendant

    atransfer the report in question. It follows that the treatment in question cannot

    no longer be justified by this information obligation provided for in the legal basis and

    that it is therefore not necessary for the exercise of public authority by the Respondent. Beslissing on the merits 72/2021 - 16/21






         57. On the basis of the above elements, the Contentious Chamber considers that the

             defendant cannot rely on Article 6.1.e) as the legal basis for the


             processing consisting of sending the report to different recipients, since it

             was not necessary for the exercise of public authority.



         58. The defendant has also indicated that it relies on Article 6.1.d) as a basis for

             lawfulness of the processing, which would imply that the processing is necessary for the

             safeguarding the vital interests of the data subject or of another person

             physical. The Contentious Chamber recalls in this regard that this basis of lawfulness is


             refer to the treatments that are clearly and directly necessary to preserve
                                                      12
             the health of an affected person. Treatment intended to help

             resolution of a labor dispute cannot therefore rely on this basis of

             lawfulness.






             Additional remarks concerning the transmission of the report





         59. If the defendant considered that its intervention in the conciliation was absolutely

             indispensable, it would have been quite open to him to transmit to the unions and the

             social conciliator a version of the report redacted from the personal data


             personnel, or the simple observation that the salary level "is somewhat
                                                                                                13
             higher than the maximum scale of scale 29 (director> 60) of the C.P. […] ". Asset

             at the very least, the defendant could have ensured that the principle of minimization of

             data (article 5.1.c) of the GDPR) when submitting the report. A track of this

             type was moreover mentioned by the defendant itself in its conclusions,

             since it indicates, for example, that it would have been "wiser not to mention


             precisely the amount of the salary ”.





    4) As regards the further processing of the complainant's personal data by the union




         60. In its request for information of May 15, 2019, as well as in letters

             subsequent reports, the complainant indicates that the union members to whom the report



12 "Article 29" working group on data protection, "Opinion 06/2014 on the concept of legitimate interest pursued by

the data controller within the meaning of Article 7 of Directive 95/46 / EC ", adopted on April 9, 2014, p. 20.
13 Audit report of April 3, 2019 p. 5. Beslissing on the merits 72/2021 - 17/21




            have been sent have sent this same document to colleagues who have

            finally sent to the staff of the non-profit organization. The complainant believes that this caused him

            "An extremely complex situation" during the joint committee that took place

            shortly after the report was sent. The complainant also indicates that he suffered

            damage resulting from this further processing of these data (see point 20).




        61. The defendant maintains in its submissions that it cannot control nor a fortiori

            be responsible for the actions of unions and not condone them. It

            draws attention to the disclaimer in the email (see point

            19). In its pleadings in reply, it considers that the complainant does not demonstrate

            in no way its damage, nor their possible link with the transmission of the report.




        62. On the basis of the elements described above, the Contentious Chamber arrives at several

            conclusions. First of all, she finds that the complainant provides no proof of

            this further processing by the unions. Indeed, he repeatedly indicates that

            the unions would have forwarded the report to their colleagues, who would in turn have

            transferred (see point 1). This account, however, is not supported by any element of the

            file, apart from the complainant's statements.




        63. Moreover, even if this subsequent processing is proved, the Chamber

            litigation notes that the complainant does not bind it to any specific violation of the

            GDPR. However, the contentious chamber considers, at first glance and in the absence

            contrary elements brought by the complainant, which the defendant does not seem

            be able to be considered as responsible for the subsequent processing carried out by one

            or more of the report recipients.




        64. Indeed, the Court of Justice has confirmed that for the identification of the responsible

            treatment, there was a need for a factual assessment of the natural person (s) or

            of the legal person (s) which determine "the purpose" and "the means" of the

            treatment, the concept being defined broadly with a view to protecting

            persons concerned . The Court also held that a natural person

            which, for reasons relating to it, exerts an influence on the processing of

            personal data and thus participate in determining the purpose and

            means of this processing can be considered as a controller

                        15
            treatment. In this case, these are well the union delegates who received the report



14
  CJEU judgment of May 13, 2014, Google Spain and Google, C-131/12, ECLI: EU: C: 2014: 317, para. 34; CJEU judgment of June 5, 2018,
Wirtschaftsakademie Schleswig-Holstein, C-210/16, ECLI: EU: C: 2018: 388, para. 28.
15 CJEU judgment of 10 July 2018, Jehovan todistajat, C-25/17, ECLI: EU: C: 2018: 551, para. 65 Beslissing on the merits 72/2021 - 18/21




            audit reports that would have passed it on to other colleagues. They themselves have

            determined the purposes and means of this new processing. So they would be

            who have become data controllers within the meaning of Article 4.7) of the GDPR.



        65. The contentious chamber cannot therefore examine possible infringements in the

            head of the defendant with regard to this additional treatment.

            additional elements. First, if the email sending the audit report contains

            indeed a confidentiality clause specifically providing for this prohibition of

            transfer to third parties, this in no way frees the data controller from a


            possible liability. Then, respect for the principle of minimizing

            data (see paragraph 59) could have limited the risks relating to the data

            personal data of the complainant.





    5) Regarding the response to the exercise of the right of access by the complainant




        66. According to article 15.1 of the GDPR, the data subject has the right to obtain

            controller confirmation that the personal data

            concerning are or are not processed. When this is the case, the person concerned

            has the right to obtain access to such personal data as well as to a series

            information listed in Article 15.1 a) -h) such as the purpose of processing its

            data, the possible recipients of their data as well as information

            relating to the existence of their rights, including the right to request rectification or

            the erasure of his data or even that of filing a complaint with the DPA.



        67. The Contentious Chamber recalls, as it had already established in its decision

            15/2021, that the right of access is one of the essential requirements of the right to


            data protection, since it constitutes the "front door" which allows the exercise

            other rights that the GDPR confers on the data subject.



        68. Although not expressly listed in Article 15.1, the basis for legality

            undeniably constitutes information that the data subject can request

            on the part of the controller, being specifically included in Article 13.1.c)

            as information to be provided to the data subject at the time of collection of

            its data.





16 Decision on the merits 15/2021 of 9 February 2021 (https://www.autoriteprotectiondonnees.be/publications/decision-quant-
au-fond-n-15-2021.pdf). Beslissing on the merits 72/2021 - 19/21



                                                                                         17
        69. As it has already explained in its decision 41/2020, the Chamber

             litigation recalls that Article 12 of the GDPR relating to the methods of exercising

             their rights by the data subjects provides in particular that the

             controller must facilitate the exercise of their rights by the person

             concerned (Article 12.2 of the GDPR) and provide them with information on the measures taken

             following his request as soon as possible and at the latest within a

             months from the request (article 12.3 of the GDPR). According to this same article, the time

             can be extended for an additional month, at the request of the data controller.




        70. Although he did not mention it in his conclusions, the complainant criticized

             on several occasions to the defendant the late nature of its response to its request

             access, exercised on the basis of Article 15.1 of the GDPR (see point 12). It appears coins

             of the file that the respondent's response was sent more than two months after the

             request (see points 10 and 11).



        71. In the present case, the defendant did not make use of this possibility

             to extend the response time. In its submissions the defendant acknowledged that it

             did not meet this deadline, as she indicated that she "cannot question

             the complainant's claim as to the late deadline in which the response was


             communicated ", even if it underlines that a response was ultimately provided.



On the basis of these elements, the Litigation Chamber finds a violation of Article 15.1 of

GDPR attached to articles 12.3 and 13.1c).





    6) Regarding corrective measures and sanctions




        72. Under Article 100 LCA, the Litigation Chamber has the power to:



     1 ° dismiss the complaint;

     2 ° order the dismissal;

     3 ° pronounce a suspension of the pronouncement;

     4 ° propose a transaction;

     5 ° issue warnings or reprimands;

     6 ° order compliance with the requests of the person concerned to exercise these rights;

     7 ° order that the person concerned be informed of the security problem;



17 Decision on the merits 41/2020 of 29 July 2020 (https://www.autoriteprotectiondonnees.be/publications/decision-quant-
au-fond-n-41-2020.pdf), §16. Beslissing on the merits 72/2021 - 20/21




     8 ° order the freezing, limitation or temporary or definitive prohibition of processing;

     9 ° order that the processing be brought into conformity;

     10 ° order the rectification, restriction or erasure of data and the notification of

     these to the data recipients;

     11 ° order the withdrawal of accreditation of certification bodies;

     12 ° give periodic penalty payments;

     13 ° issue administrative fines;

     14 ° order the suspension of transborder data flows to another State or a

     international body;


     15 ° transmit the file to the public prosecutor's office in Brussels, who informs them of

     follow-up given to the case;

     16 ° decide on a case-by-case basis to publish its decisions on the website of the Authority

     Data protection.



        73. The Litigation Chamber emphasizes that under Article 221.2 ° of the Law of 30 July

             2018 on the protection of individuals with regard to the processing of

             personal data, it cannot impose a fine on the defendant,

             since it is a public authority within the meaning of Article 5.1 ° of the same law.




        74. The Contentious Chamber found that the defendant had violated Article 15.1 of

             GDPR attached to articles 12.3 and 13.1.c) by not responding to the access request of the

             complainant within the legal time limit. This point has also been explicitly recognized by the

             defendant.



        75. The Chamber also found that the Respondent had violated Article 6.1.e) of

             GDPR by processing data, consisting of sending the report

             audit to union representatives and the social conciliator, while the latter

             was not necessary for the exercise of public authority.



        76. In conclusion of the above, and in view of all the circumstances of the case, the


             Contentious Chamber considers that the reprimand (that is, the appeal to the order referred to in article

             58.2.b) of the GDPR) is in this case the effective, proportionate and dissuasive sanction
                                                         18
             which is binding on the defendant.



        77. It recalls that in its capacity as controller, the defendant is required

             respect the principles of data protection and must be able to



18As it has already had the opportunity to specify in several decisions, the Contentious Chamber recalls here that
the warning sanctions a breach that is likely to occur: see. Article 58.2.a) of the PDR in this regard. Beslissing on the merits 72/2021 - 21/21




             demonstrate that these are respected. It must also implement all

             the measures necessary for this purpose (principle of liability - Articles 5.2. and 24 of

             GDPR). The contentious chamber therefore invites the defendant to ensure that the

             process put in place to process requests for the exercise of rights under the

             GDPR ensure a response within the legally stipulated deadlines.






    7) Publication of the decision



         78. In view of the importance of transparency with regard to the process

             decision-making and decisions of the Litigation Chamber, this decision will be published

             on the website of the Data Protection Authority by deleting

             direct identification data of the parties and persons named, that they

             be physical or legal.





FOR THESE REASONS,


THE LITIGATION CHAMBER



    - Issue a reprimand against the defendant on the basis of article 100.1, 5 °

         LCA, for violation of Article 15.1 of the GDPR attached to Articles 12.3 and 13.1.c) and for
         violation of Article 6.1.e) of the GDPR.


    - Discard the complaint for other aspects without further action on the basis of Article 100.1, 1 ° LCA.




Under Article 108 § 1 LCA, this decision may be appealed against to the Court of

contracts (Brussels Court of Appeal) within 30 days of notification, with

the Data Protection Authority as respondent.







(Sé). Hielke hijmans


President of the Litigation Chamber











19 Decision on the merits 41/2020 of 29 July 2020 (https://www.autoriteprotectiondonnees.be/publications/decision-quant-
au-fond-n-41-2020.pdf), §16.